86 changes: 86 additions & 0 deletions config/base/generated-crds/operator.tekton.dev_tektonconfigs.yaml
@@ -975,6 +975,92 @@ spec:
namespace or in the Default field.
type: string
type: object
namespaceSync:
description: NamespaceSync controls per-namespace resource
provisioning by the NamespaceSyncController.
properties:
createCABundles:
description: CreateCABundles controls whether the CA bundle
ConfigMaps are created in each namespace.
type: boolean
createEditRoleBinding:
description: CreateEditRoleBinding controls whether the
openshift-pipelines-edit RoleBinding is created in each
namespace.
type: boolean
createPipelineSA:
description: CreatePipelineSA controls whether the pipeline
ServiceAccount is created in each namespace.
type: boolean
createSCCRoleBinding:
description: CreateSCCRoleBinding controls whether the
SCC RoleBinding is created in each namespace.
type: boolean
namespaceSelector:
description: NamespaceSelector is an optional label selector
that restricts which namespaces are synced.
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
secretBindings:
description: SecretBindings declares secrets to be automatically
bound to the pipeline SA in each namespace. Each entry must
set exactly one of labelSelector or secretName.
items:
description: SecretBinding describes a secret or class of
secrets to bind to the pipeline SA.
properties:
labelSelector:
description: LabelSelector selects secrets by label.
All matching secrets in a namespace are bound.
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
secretName:
description: SecretName binds a specific named secret
in each namespace to the pipeline SA.
type: string
type: object
type: array
type: object
type: object
type: object
profile:
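Review bot: the constraint stated in the `secretBindings` description ("Each entry must set exactly one of labelSelector or secretName") is not enforced by the schema in this hunk: both properties are optional, neither is listed under `required`, and nothing rejects an item that sets both or neither; likewise a `labelSelector: {}` has no required sub-fields and, under normal label-selector semantics, matches every Secret in the namespace, so a single empty selector would bind all of them to the pipeline SA. Suggest enforcing this at admission rather than only in the controller: a `+kubebuilder:validation:XValidation:rule="has(self.secretName) != has(self.labelSelector)"` marker on the Go type so controller-gen emits `x-kubernetes-validations` on the item, plus a rule rejecting a label selector that has neither `matchLabels` nor `matchExpressions`, so an over-broad binding cannot be created by omission.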
2 changes: 1 addition & 1 deletion config/openshift/base/operator.yaml
@@ -38,7 +38,7 @@ spec:
image: ko://github.com/tektoncd/operator/cmd/openshift/operator
args:
- "-controllers"
- "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonaddon,tektonresult,openshiftpipelinesascode,manualapprovalgate,tektonpruner,tektonscheduler,tektonmulticlusterproxyaae,syncerservice"
- "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonaddon,tektonresult,openshiftpipelinesascode,manualapprovalgate,tektonpruner,tektonscheduler,tektonmulticlusterproxyaae,syncerservice,namespacesync"
- "-unique-process-name"
- "tekton-operator-lifecycle"
imagePullPolicy: Always
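Review bot: appending `namespacesync` to the `-controllers` list starts the new controller unconditionally on every OpenShift install, while the docs in this same change describe it as replacing the legacy per-namespace loop in the RBAC reconciler; this hunk only adds, so confirm the legacy loop is removed or gated in the same release, otherwise two reconcilers will write the same per-namespace ServiceAccount and RoleBindings. A short comment above the list, or a release note, stating which controller owns these resources from this version on would help anyone reading the manifest.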
123 changes: 123 additions & 0 deletions docs/TektonConfig.md
@@ -575,6 +575,129 @@ In the deployment the environment name will be converted as follows,
- `tekton-hub-api` => `TEKTON_HUB_API`
- `artifact-hub-api` => `ARTIFACT_HUB_API`

### NamespaceSync (OpenShift only)

The `namespaceSync` block under `spec.platforms.openshift` controls the **NamespaceSyncController**, which watches every user namespace and ensures Tekton-required resources are present and up to date. It replaces the legacy per-namespace batch loop that was part of the RBAC reconciler.

#### Resources managed per namespace

| Resource | Kind | Purpose |
|---|---|---|
| `pipeline` | `ServiceAccount` | Identity for PipelineRun pods |
| `pipelines-scc-rolebinding` | `RoleBinding` → `pipelines-scc-clusterrole` | Grants the pipeline SA permission to use the default SCC |
| `openshift-pipelines-edit` | `RoleBinding` → `ClusterRole/edit` | Gives the pipeline SA edit access within its namespace |
| `config-trusted-cabundle` | `ConfigMap` | CA bundle for custom/internal PKI trust |
| `config-service-cabundle` | `ConfigMap` | OpenShift service CA bundle |
| `openshift-pipelines-clusterinterceptors` | `ClusterRoleBinding` subject | Lets the pipeline SA call ClusterInterceptors |

#### Configuration fields

```yaml
spec:
platforms:
openshift:
namespaceSync:
createPipelineSA: true # create/maintain the pipeline SA
createSCCRoleBinding: true # create/maintain pipelines-scc-rolebinding
createEditRoleBinding: true # create/maintain openshift-pipelines-edit
createCABundles: true # inject CA bundle ConfigMaps

# Optional: restrict which namespaces are synced.
# Omit entirely to sync all non-system namespaces (default).
# Set to {} to opt out all namespaces without changing the flags above.
namespaceSelector:
matchLabels:
pipelines.openshift.io/sync: "true"

# Optional: automatically bind secrets to the pipeline SA.
# Use secretName for an exact name, or labelSelector to match by label.
secretBindings:
- secretName: pipeline-quay-openshift # Quay Bridge robot account secret
- labelSelector:
matchLabels:
quay-integration: my-quay # all secrets with this label
```

All boolean fields default to `true` when the `namespaceSync` block is present.

#### Disabling individual features

Set the flag to `false` to stop managing that resource class. Existing resources
are **not deleted** — the controller simply stops reconciling them:

```yaml
spec:
platforms:
openshift:
namespaceSync:
createEditRoleBinding: false # do not create openshift-pipelines-edit
```

#### Restricting sync to specific namespaces

Use `namespaceSelector` to limit which namespaces the controller acts on.
Label namespaces you want synced, then configure the selector to match:

```bash
# Label a namespace to opt in
oc label namespace my-project pipelines.openshift.io/sync=true
```

```yaml
spec:
platforms:
openshift:
namespaceSync:
namespaceSelector:
matchLabels:
pipelines.openshift.io/sync: "true"
```

To disable sync for **all** namespaces while keeping the feature flags intact,
set an empty selector:

```yaml
namespaceSync:
namespaceSelector: {} # matches nothing → no namespace is synced
```

#### Quay Bridge secret auto-binding

When the [Quay Bridge Operator](https://github.com/quay/quay-bridge-operator) is
installed, it creates a robot-account secret named `pipeline-quay-openshift` in
each namespace. Declare a `secretBinding` to have the NamespaceSyncController
automatically bind that secret to the `pipeline` SA as an image pull secret:

```yaml
spec:
platforms:
openshift:
namespaceSync:
secretBindings:
- secretName: pipeline-quay-openshift
```

Once configured:
- When the secret appears in a namespace it is added to both `imagePullSecrets`
and `secrets` on the `pipeline` SA within seconds.
- When the secret is deleted the reference is removed automatically.

#### Migration from legacy `spec.params`

Older releases controlled this behaviour through `spec.params` entries. The
operator automatically migrates these on the first webhook call after an upgrade:

| Legacy `spec.params` | Typed field |
|---|---|
| `createRbacResource: "false"` | `createPipelineSA`, `createSCCRoleBinding`, `createEditRoleBinding` all set to `false` |
| `createCABundleConfigMaps: "false"` | `createCABundles: false` |
| `legacyPipelineRbac: "false"` | `createEditRoleBinding: false` |

After migration the legacy params are removed from `spec.params` and the typed
fields take effect. There is no need to manually update the TektonConfig CR.

---

### OpenShiftPipelinesAsCode

The PipelinesAsCode section allows you to customize the Pipelines as Code features on both Kubernetes and OpenShift. When you change the TektonConfig CR, the Operator automatically applies the settings to custom resources and configmaps in your installation. On Kubernetes, configure `spec.platforms.kubernetes.pipelinesAsCode` (the managed CR remains `OpenShiftPipelinesAsCode` for API compatibility).
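Review bot: the "Disabling individual features" section (a `false` flag leaves existing resources in place) should spell out the consequence for the RBAC flags: turning `createEditRoleBinding` or `createSCCRoleBinding` off revokes nothing already granted, so an administrator who flips the flag to reduce the pipeline SA's privileges still has `edit` and SCC access in every previously synced namespace until the RoleBindings are deleted by hand; suggest adding the removal step (for example `oc delete rolebinding openshift-pipelines-edit -n <namespace>`) next to that note. Two smaller points: `namespaceSelector: {}` matching nothing inverts the usual `metav1.LabelSelector` convention, where an empty selector matches everything, so state explicitly that this field deliberately differs; and the resources table lists the `openshift-pipelines-clusterinterceptors` ClusterRoleBinding subject, but none of the four flags names it, so document which flag, if any, controls that binding.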